Employers and schools in several states are now prohibited from requesting access to the social networking accounts of their employees, students, and applicants as a result of the “password protection” laws that are sweeping the nation. These laws take an expansive view of the definition of privacy by implying that viewing content on a user’s restricted-access social networking profile without his consent constitutes an invasion of privacy. Courts have consistently held that the information users post on social networking websites is, in fact, not private. Further highlighting the contrast between legislative and judicial interpretations of privacy in the context of these new technologies, the express language in one of the password protection laws declares that all Internet users have a reasonable expectation of privacy in their social networking website communications and affairs. This Article argues that password protection laws should be interpreted narrowly as only prohibiting the invasive methods used by employers and schools to gather information from social networking profiles — not as establishing in all cases that communications to which access has been restricted are private. The reasonableness of a user’s expectation of privacy in the content of his social networking profile must be determined by courts on a case-by-case basis, informed by such factors as how many people he invites to view it, the relationship between the user and his chosen audience, the exact calibration of his privacy settings, and the degree to which his digital information is guarded by the website under its privacy and data use policies.